Search engine poisoning named biggest threat

Turning to malvertising - advertising that carries malware - the report says that a bad ad will initially appear clean, allowing itself to be checked many times by security software and systems in order to build clean ratings and a good reputation.

"Taking time to develop clean reputations within ad networks, and passing multiple sweeps for malware, cybercrime develops valuable and trusted positions within web advertising structures before launching attacks; this leads to a very successful campaign", says the report.

"When the sleeper awakes, routing behind the ad is transformed to take the view or the click-through to a malware host, and the malware connections are able to do their worst in their targeted campaign. Then the next day, they're gone", the report adds.

Cybercrime, the analysis goes on to say, often waits months to establish legitimate ad infrastructures to bite users at a selected optimal time and penetrate past reputation-based defences.

Against this backdrop, Blue Coat's report says that it is clear that, when faced with malvertising, your security systems cannot rely on reputation to decide which ads to block.

"Instead, we need to look to advanced security systems that rate web properties and the ads they depend on in real-time", the study notes.

"Similarly, we cannot rely on waiting for a 'security update' to be applied to the user's computer. It's probably going to be too late. If your security system has any kind of regular 'Click here to update definitions file' requirement, it will likely fail to protect your users", the report explains.
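To make the report's argument concrete, here is an added example (not from the Blue Coat report) that simulates a sleeper creative's redirect history over 32 days; the creative id, hostnames and both policy functions are constructed for illustration. It contrasts a policy that stops inspecting an ad once it has earned enough clean checks with one that rates every serve against the destinations the creative has actually used so far.

```python
from collections import defaultdict

# Constructed observations of one ad creative's redirect chain, one serve
# per day: (day, creative_id, final_landing_host). Days 1-30 land on the
# advertiser's own CDN; on day 31 the routing behind the ad changes to an
# unknown host, and on day 32 it is back to normal. Hypothetical data.
OBSERVATIONS = [(d, "ad-4471", "cdn.advertiser-example.com") for d in range(1, 31)]
OBSERVATIONS += [
    (31, "ad-4471", "payload.unknown-example.net"),  # the sleeper awakes
    (32, "ad-4471", "cdn.advertiser-example.com"),   # next day it is gone
]


def reputation_policy(observations, known_bad, trust_after=10):
    """Reputation-only policy: after `trust_after` clean checks a creative is
    trusted and served without further inspection. Returns the days on which
    the ad would have been blocked."""
    clean_checks = defaultdict(int)
    blocked = []
    for day, cid, host in observations:
        if clean_checks[cid] >= trust_after:
            continue  # trusted creative: no inspection at all
        if host in known_bad:
            blocked.append(day)
        else:
            clean_checks[cid] += 1
    return blocked


def realtime_policy(observations, known_bad):
    """Per-serve evaluation: every serve is rated on where it actually lands.
    A destination on a blocklist, or one that deviates from the creative's
    established baseline, is flagged regardless of accumulated reputation.
    Returns (day, creative_id, host) tuples that were flagged."""
    baseline = defaultdict(set)
    alerts = []
    for day, cid, host in observations:
        if host in known_bad or (baseline[cid] and host not in baseline[cid]):
            alerts.append((day, cid, host))
        else:
            baseline[cid].add(host)
    return alerts


if __name__ == "__main__":
    # With no definitions update yet available, the new host is unknown.
    print("reputation policy blocked on days:", reputation_policy(OBSERVATIONS, set()))
    print("real-time policy flagged:", realtime_policy(OBSERVATIONS, set()))
```

Even a later definitions update listing the payload host does not rescue the reputation policy, because the creative was already trusted and skipped inspection on day 31; the real-time policy flags the deviation on the first serve.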

Commenting on the report, Steve Daheb, the firm's senior vice president, said that web-based malware has become so dynamic that it is nearly impossible to protect every user from every new attack with traditional defences.

"With a unique comprehensive view of the web ecosystem, Blue Coat web security solutions can identify and track malware networks to proactively protect customers from new attacks that these networks attempt to launch", he said.

Delving into the report makes for interesting reading, as it analyses when and how internet users are drawn into the malware delivery map.

In the first half of 2011, the study shows that search engine poisoning was the most popular malware vector. In nearly 40% of all malware incidents, search engines/portals were the entry point into malware delivery networks.

Unsurprisingly, the report adds, search engines/portals were also the most requested web content during the same time period.

And the solutions? The analysis makes the following observations and suggestions:

Malware hosting is often found within categories, such as online storage and software downloads, that companies typically allow in acceptable use policies.

Businesses should consistently block pornography, placeholders, phishing, hacking, online games and illegal/questionable categories to follow best practices for web security.

Searching for images and pirated media ranks at the top of the list for possible malware delivery, and users engaging in these activities are especially vulnerable.

Finally, a single defence layer, such as a firewall or anti-virus software, is insufficient to protect against the dynamic nature of malware and the extensive infrastructure of malware delivery networks.

Instead, says the report, "businesses need the real-time protection and intelligence that a cloud-based web defence can deliver as it quickly expands and adapts to new threats."